How to make an untagged access port?

Hello, I have a CRS304-4XG switch that has been working well for several months connecting two proxmox hosts to upstream and downstream switches. All ports were previously used as trunk ports for some combination of VLANs.

Now I would like to connect one port as an access port (untagged) to VLAN 112 for a bare metal server. I have read a lot of documentation and tried many combinations of configurations, but nothing has made this work. Layer 1 seems to be fine, I see TX and RX packets with no errors, 5gb/s link (as expected) and the same cable plugged into a Cisco switch access port on VLAN 112 works fine. (That switch is downstream of this CRS304 and passes traffic through this CRS304 on VLAN 112 just fine.) Everything seems to work on vlans that are tagged, but untagged on this port does not work. Can someone please help?

I know this is for beginner basics but I am only beginner to Mikrotik, not to networking. I have many years of experience with Cisco switching and routing, so I understand the concepts, just not always the ways that Mikrotik uses them. Bridge VLAN Table - RouterOS - MikroTik Documentation was helpful, but doesn’t seem to contain the answer to this problem.

I tried adding vlan filtering to the bridge, but it seems to make VLAN 112 inaccessible for all ports. That shouldn’t happen with the interface bridge vlan configuration specifying as it is? I also tried a reboot, and then a RouterOS upgrade with another reboot. I had been using 7.17 previously.

Here is my current configuration that is not working for ether2:

[****] > /export compact
#2026-01-28 22:18:01 by RouterOS 7.18.2
#software id = N9RK-HBAB
#model = CRS304-4XG
#serial number = ****
/interface bridge
add admin-mac=F4:1E:57:**** auto-mac=no comment=defconf name=bridge priority=0x7000
/interface vlan
add comment="VLAN 101 Interface" interface=bridge name=vlan101int vlan-id=101
/interface ethernet switch port
set 1 limit-broadcasts=no
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment="Uplink to Core Sw" interface=ether1 pvid=99
add bridge=bridge comment="Access Port to Compute2" ingress-filtering=no interface=ether2 pvid=112
add bridge=bridge comment="Trunk to Sbox MB 10G" interface=ether3 pvid=99
add bridge=bridge comment="Trunk to Block 10G" interface=ether4 pvid=99
add bridge=bridge comment="Trunk to 1g 8P Switch (MGMT)" interface=ether5 pvid=101
/ip neighbor discovery-settings
set discover-interface-list=all lldp-dcbx=no lldp-med-net-policy-vlan=1 protocol=cdp
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no allow-fast-path=no disable-ipv6=yes disable-link-local-address=yes forward=no
/interface bridge vlan
add bridge=bridge comment=101 tagged=ether1,ether3,ether4,ether5 vlan-ids=101
add bridge=bridge comment=102 tagged=ether1,ether3,ether4,ether5 vlan-ids=102
add bridge=bridge comment=103 tagged=ether1,ether3,ether4,ether5 vlan-ids=103
add bridge=bridge comment=104 tagged=ether1,ether3,ether4,ether5 vlan-ids=104
add bridge=bridge comment=105 tagged=ether1,ether3,ether4,ether5 vlan-ids=105
add bridge=bridge comment=106 tagged=ether1,ether3,ether4,ether5 vlan-ids=106
add bridge=bridge comment=111 tagged=ether1,ether3,ether4,ether5 vlan-ids=111
add bridge=bridge comment=166 tagged=ether1,ether3,ether4,ether5 vlan-ids=166
add bridge=bridge comment=112 tagged=ether1,ether3,ether4,ether5 untagged=ether2 vlan-ids=112
add bridge=bridge comment="PineStaging 201 Temp (do not use)" tagged=ether1,ether3,ether4 vlan-ids=201
add bridge=bridge comment=32 tagged=ether1,ether4,ether3 vlan-ids=32
add bridge=bridge comment="199 Sync" tagged=ether1,ether3,ether4,ether5 vlan-ids=199
add bridge=bridge comment=SimWAN tagged=ether1,ether3,ether4,ether5 vlan-ids=88
/ip address
add address=.../24 comment=defconf interface=vlan101int network=...
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system identity
set name=MT
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=...

Thank you for any help you can provide!

Basics,
The only vlan that needs to be defined is the base or management vlan, and it's the only vlan tagged with the bridge. In your case, one would assume it's 101, but you have the uplink (source for vlans) being the core switch and it's not a trunk port, you have it with PVID so an access port??? Makes no sense.

Then you have trunk ports to 3,4,5 but again, with pvid so not trunk and, like ether1, set up more like a hybrid than a trunk. The only port shown as untagged is for vlan112 on ether2, so it seems this port is consistent.

Assuming there are actually no hybrid ports, especially the uplink port, it should look like.....
All should have ingress-filtering=yes, which is the default setting in RouterOS version 7 software.
(unless a true hybrid port where one has no ingress filtering and frame-types=admit-all)

/interface bridge port
add bridge=bridge comment="Uplink" frame-types=admit-only-vlan-tagged \
   interface=ether1
add bridge=bridge comment="Compute2" frame-types=admit-only-untagged-and-priority-tagged \
   interface=ether2 pvid=112
add bridge=bridge comment="Sbox" frame-types=admit-only-vlan-tagged \
   interface=ether3 
add bridge=bridge comment="Block 10G" frame-types=admit-only-vlan-tagged \
   interface=ether4 
add bridge=bridge comment="1g 8P(MGMT)" frame-types=admit-only-vlan-tagged \
   interface=ether5
/interface list
add name=MGMT
/interface list members
add interface=vlan101int list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no allow-fast-path=no \
   disable-ipv6=yes disable-link-local-address=yes forward=no
/interface bridge vlan
add bridge=bridge comment="32" tagged=ether1,ether3,ether4 vlan-ids=32
add bridge=bridge comment="101" tagged=bridge,ether1,ether3,ether4,ether5 \
   vlan-ids=101
add bridge=bridge tagged=ether1,ether3,ether4,ether5 vlan-ids=88,102,103,104,\
    105,106,111,166,199,210
add bridge=bridge comment="112" tagged=ether1,ether3,ether4,ether5 \
   untagged=ether2 vlan-ids=112
{ other additions }
/ip dns
set servers=192.168.101.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.101.1 table=main
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Then enable bridge vlan filtering


When vlan-filtering is off, the switch is operating in vlan-unaware mode, sometimes called vlan-transparent mode. In this mode, the MikroTik CRS304-4XG is ignoring everything but the mac addresses in its learning and forwarding decisions. The ethertype is just part of the payload as far as it is concerned. In this mode the switch will pass all ethernet frames as-is, so it will forward IEEE 802.1Q tagged frames as-is, but it will never add or remove vlan tags. And all ports are "identical": if an ingress frame is received without a tag, the egress frame will be untagged, regardless of which port(s) it exits on. Likewise, if a frame is received with a tag, it will exit with a tag.

When vlan-filtering is on (vlan-filtering=yes), then the behavior of the switch is fundamentally changed. It will now inspect the first ethertype field to see if it has 0x8100 as the ethertype. This is the standard TPID (tag protocol id). If the ethertype is a TPID, then it will examine the following 16 bits, the Tag Control Information (TCI), and extract the VID from it, and the frame will be classified as belonging to the specified vlan. If the extracted VID is zero, or the frame has no tag, then the PVID configured on the port will be used to specify which vlan the frame should be associated with.

Here are the relevant parts of the config with respect to vlan 112

/interface bridge port
add bridge=bridge comment="Access Port to Compute2" ingress-filtering=no interface=ether2 pvid=112
/interface bridge vlan
add bridge=bridge comment=112 tagged=ether1,ether3,ether4,ether5 untagged=ether2 vlan-ids=112

Do you have a serial console you can work from?
If vlan-filtering is turned on from a port that isn't affected (like from the serial console), then I would expect that a PC connected to ether2 that was expecting untagged traffic to be able to communicate with other devices on vlan 112, for example a device connected to ether4 that is tagging vlan 112.

From this statement:

I will assume that the cisco switch has its trunk link port connected to the CRS304 configured with vlan 112 as the native vlan. (Is that the "Uplink to Core Sw" via ether1?) That would explain how it is "working" when vlan-filtering is turned off, and would also explain why it stopped working when you turned vlan-filtering on; because on the MikroTik you have vlan 112 defined to use tagged frames on all ports except for ether2 (the one connected to "Compute2", which I will assume is the one you called the "bare metal server").

If you want the trunk to the Cisco to have vlan 112 as the native vlan (on the MikroTik side), you can change your config so it is like this:

/interface bridge port
add bridge=bridge comment="Uplink to Core Sw" interface=ether1 pvid=112
/interface bridge vlan
add bridge=bridge comment=112 tagged=ether3,ether4,ether5 untagged=ether1,ether2 vlan-ids=112

Then ether1 will be a hybrid link with "native vlan" 112. But then it will no longer pass untagged traffic for vlan 99 between ether1 and (ether3, ether4) (the bridge ports that had pvid set to 99 previously).

Without knowing how the cisco side of the trunk is configured we can't know for sure that my conjecture is true.

What test did you do to determine that the MikroTik was not passing vlan 112 traffic once vlan filtering was enabled?

I also agree that if you are going to use vlan-filtering (and you will need to if you want full functionality), then you should not be disabling ingress-filtering; that's there to prevent unauthorized vlan traffic from entering a port, and it is the default setting as pointed out by anav.

Until you enable vlan-filtering, just about anything to do with vlans is just ignored, just like a dumb switch would. Ethernet frames that are tagged just appear to be slightly longer (by 4 octets), but no filtering is applied; received frames are forwarded just as they were received (with tag if they arrived tagged). And any specification of what frame-types to admit has no effect when vlan-filtering=no.

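The classification buckeye describes above (TPID check, TCI/VID extraction, PVID fallback, transparent forwarding when vlan-filtering is off) and the admit/PVID behaviour of the corrected port layout anav posted, as an added Python model that is not MikroTik code; the port settings, the VLAN table and the test frames are constructed assumptions based on the thread's VLAN 112 case:

```python
# Model of RouterOS bridge VLAN classification as described in the thread
# (added illustration, not MikroTik code). Port settings and the VLAN table
# follow the corrected ether2 / VLAN 112 layout suggested above; assumed values.
TPID = 0x8100  # IEEE 802.1Q tag protocol identifier

PORTS = {  # pvid, frame-types, ingress-filtering per bridge port
    "ether1": {"pvid": 1, "frame_types": "admit-only-vlan-tagged", "ingress_filtering": True},
    "ether2": {"pvid": 112, "frame_types": "admit-only-untagged-and-priority-tagged", "ingress_filtering": True},
    "ether4": {"pvid": 1, "frame_types": "admit-only-vlan-tagged", "ingress_filtering": True},
}
VLAN_TABLE = {  # vid -> (tagged member ports, untagged member ports)
    112: ({"ether1", "ether3", "ether4", "ether5"}, {"ether2"}),
    101: ({"bridge", "ether1", "ether3", "ether4", "ether5"}, set()),
}

def build_frame(dst, src, vid=None, ethertype=0x0800, payload=b""):
    """Constructed test frame: optional 802.1Q tag inserted after the MAC addresses."""
    hdr = dst + src
    if vid is not None:
        hdr += TPID.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big") + payload

def parse_frame(frame):
    """Return (vid, inner ethertype); vid is None when no tag is present."""
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != TPID:
        return None, ethertype
    tci = int.from_bytes(frame[14:16], "big")  # PCP(3) DEI(1) VID(12)
    return tci & 0x0FFF, int.from_bytes(frame[16:18], "big")

def classify(port, frame, vlan_filtering=True):
    """Return (vid, {egress_port: 'tagged'|'untagged'}); (None, {}) if dropped."""
    vid, _ = parse_frame(frame)
    if not vlan_filtering:  # VLAN-unaware: forward as received, never add/remove tags
        how = "untagged" if vid is None else "tagged"
        return vid, {p: how for p in PORTS if p != port}
    cfg = PORTS[port]
    if vid is None or vid == 0:  # untagged or priority-tagged -> use the port PVID
        if cfg["frame_types"] == "admit-only-vlan-tagged":
            return None, {}
        vid = cfg["pvid"]
    elif cfg["frame_types"] == "admit-only-untagged-and-priority-tagged":
        return None, {}  # access port rejects tagged frames
    tagged, untagged = VLAN_TABLE.get(vid, (set(), set()))
    if cfg["ingress_filtering"] and port not in tagged | untagged:
        return None, {}  # ingress port is not a member of this VLAN
    egress = {p: "tagged" for p in tagged if p != port}  # 'bridge' = the CPU port
    egress.update({p: "untagged" for p in untagged if p != port})
    return vid, egress
```

Run classify("ether2", build_frame(...)) with and without vlan_filtering to see why the untagged host on ether2 only reaches VLAN 112 once filtering is on: in transparent mode its untagged frame leaves ether1 untagged, never tagged 112.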

Thank you anav! I made those changes then enabled bridge VLAN filtering and that made the untagged port work as expected. It seems like the main reason I was not able to reach the host on ether2 was that bridge vlan filtering was disabled. Is that correct? I tried enabling it before but I got a broadcast storm. I think that is because a VM host is running RSTP incorrectly. I removed the physical loop (and the redundant network connection) from that host.

When you say “hybrid port” do you mean a port that accepts both tagged and untagged traffic? (Where native/untagged VLAN is the same as PVID.) I would like to use such a configuration in the future. Would this work:

add bridge=bridge comment="Hybrid Port" frame-types=admit-all interface=ether2

I was using vlan 99 as PVID on all trunk ports because that is an old standard configuration to prevent VLAN hopping. That is probably unnecessary on switches with VLAN ingress filtering.

Thank you for that, buckeye, your explanation made it much clearer what was happening! It seems that vlan filtering=yes enables the behavior I was expecting.

VLAN 99 was configured as the native/PVID VLAN on all trunks. It is also filtered and undefined on the cisco switches. It’s an old way to guarantee that untagged traffic from an untrusted or mis-configured switch goes nowhere. I was/am managing the Mikrotik using an always tagged VLAN, (101) so that’s why it should have remained accessible. During the whole thing, the Mikrotik was passing vlan 112 traffic on all other (tagged) ports. I just wasn’t getting through on ether2 where it needed to be untagged.

When testing this, I discovered I had another issue that I had previously thought resolved that explained why enabling vlan filtering on the bridge didn’t work. One of the trunks goes to a linux VM host that also has a redundant link to the downstream switch. That host should be running RSTP, but for some reason the tree is not blocking properly. The active tagged VLANs were mostly blocking on a per-VLAN basis on the downstream switch, but something to do with the PVRST/RSTP interface and/or native VLAN mismatches when I started to apply Anav’s suggested configuration was creating a broadcast storm. I think that’s probably what was happening when I enabled vlan filtering before, so it’s probably more the PVRST/RSTP and not related to the native VLAN changes. I’ve shut down the redundant port for now so that there’s no longer a physical loop. RSTP/MST support on Linux still seems to be a difficulty. I might change the downstream switch over to RSTP only until I have time to troubleshoot further.

Anyway, thanks again for the thoughtful reply! I’m pretty sure the answer was to enable vlan filtering on the bridge, I just had other issues getting in the way when I did that.

Here is a step by step guide that is easy to follow.
https://www.youtube.com/watch?v=bZyWodIsrUs

A hybrid port is one where a single VLAN is passed like an access port and one or more other vlans are tagged over that port.

So, the hybrid format is typically (switch example):
/interface bridge port
add bridge=BR1 ingress-filtering=no frame-types=admit-all interface=ether2 pvid=XX

/interface bridge vlan
add bridge=BR1 tagged=ether1,ether3,ether4 untagged=ether2 vlan-ids=XX
add bridge=BR1 tagged=ether1,ether2,ether3,ether4 vlan-ids=AA,BB,CC,DD
